Authenticate Virtual Summit Series

Authenticate Summit Recap: The FIDO Fit in IoT

By: FIDO Staff

The Internet of Things (IoT) is an increasingly critical, and increasingly difficult, area of IT to secure.

At the Authenticate Virtual Summit: The FIDO Fit in IoT, held on Dec. 7, a series of experts outlined FIDO Alliance efforts to help device manufacturers and developers better secure IoT. A key theme of the event was understanding how the FIDO Device Onboarding (FDO) specifications can help improve IoT security.

David Turner, director of standards development at FIDO Alliance, kicked off the event by noting that passwords remain a large problem across the IT industry. The challenge of passwords is compounded with IoT devices, which scale into the millions and potentially billions of devices. Password challenges in IoT include password re-use, which can be a huge problem. If a system ships with a default password, it can be trivially easy for attackers to exploit.

“Hackers don’t break into IoT, they log into it,” Turner said.

One way to help secure IoT is with the FIDO Alliance’s FDO standard. Turner explained that FDO is an open standard that allows organizations to quickly and securely onboard IoT devices.

Small things, big impact: The path to FDO

Rolf Lindemann, director of product at Nok Nok and one of the leaders of the FIDO Alliance IoT Technical Working Group, explained that FIDO authentication standards are applicable to user authentication as well as device authentication.

Lindemann said that there is a clear need for a strong foundation to help secure IoT. The first step is to have hardened hardware elements at the CPU level, including things like TPMs, TrustZone and SGX, which are provided by the silicon vendors. The next critical step is to add device-level attestation to help with supply chain integrity, which also helps to reduce the complexity of device onboarding. The third step is to have strong authentication that ensures only legitimate entities get access.

“To make the IoT ecosystem more secure, you need strong authentication that’s the front door providing phishing resistance and being still practical for daily large-scale use,” Lindemann said.

How FDO tackles the onboarding challenge

The challenge of onboarding is where the FDO specifications come into play.

Richard Kerslake, general manager of industrial controls and robotics, IoT business unit at Intel, explained that onboarding is the process by which a device can establish a trusted connection with a service or platform.

“We have an IoT device, it’s going to connect to a platform or service and we just need to be sure that everyone in that equation is who they say they are,” Kerslake explained. “Is the device talking to the platform that it thinks it is talking to, and is the platform talking to the device that it thinks it is talking to. So we really need to make sure that both sides of that equation are true.”

Onboarding today is often a very manual process. The promise of FDO is an automated approach that benefits from strong authentication. Kerslake explained that in December 2019 the decision was made to base the FDO specification on Intel’s Secure Device Onboard technology. The FDO 1.0 specification was released in March 2021 and updated to version 1.1 in April 2022.

Going a step beyond the specifications, FIDO has worked with the Linux Foundation’s LF Edge project, which has an open source implementation of FDO.

Going for a deep dive with FDO

A fair amount of nuance and detail goes into the FDO specification.

In a deep dive session, Geoffrey Cooper, principal engineer, IoTG at Intel, explained the workflow, technical specification and procedures that enable FDO implementations.

Cooper explained that if, for example, a device is drop-shipped to a location, powered up and connected to the network, the goal with FDO is to enable that device to figure out who it’s supposed to connect to with proper authentication, set everything up, and then go right into service.

“The idea is we’re taking something that was a very heavy-touch kind of operation and we’re turning it into a zero-touch operation,” Cooper said.

Enabling that zero-touch approach with FDO involves a series of protocols that are part of the specification. The protocols include device initialization and onboarding components. There is also a concept known as the FDO Service Info Module (FSIM) that provides an extension mechanism to help support devices.

In a robust Q&A session at the Authenticate virtual event, attendees asked a wide variety of questions.

Among the questions was one about what’s needed to help spur adoption of FDO. Kerslake said there are companies today in different industry verticals, including the energy sector, where operators are saying they will not proceed with bringing in new devices without an automated secure onboarding solution.

There are also a growing number of industry solutions that support FDO. Megan Shamas, senior director of marketing at the FIDO Alliance, said that by developing FDO in an industry standards body there are lots of opportunities for collaboration and promotion as well.

“We are in the midst of creating an implementer showcase, which should be live on the website soon,” Shamas said.

The path toward FDO certification

Looking beyond the FDO specification, there is also a need for certification, which is something the FIDO Alliance is now working on.

Paul Heim, director of certification at FIDO Alliance, said that product certification ensures standardization and interoperability of products within an industry. He added that one of the most important factors about certification is that it helps to ensure consumer, enterprise, and industrial protection. The lifecycle for FDO certification includes both functional and security certification.

“The FIDO device onboard certification program is intended to certify IoT devices and onboarding services, certification that will be available for both FIDO members and non-members,” Heim said.

The certification effort is still in development with a program launch set for the first quarter of 2023.